Date: Tue, 4 Jul 2006 19:27:59 GMT From: Clément Lecigne <clem1@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 100570 for review Message-ID: <200607041927.k64JRxAX080495@repoman.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=100570 Change 100570 by clem1@clem1_ipv6vulns on 2006/07/04 19:27:45 Some improvements around icmpsicng.c (mainly for rtadvd and rtsol fuzzing) Affected files ... .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/ChangeLog#2 edit .. //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/icmpsicng.c#3 edit Differences ... ==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/ChangeLog#2 (text+ko) ==== @@ -1,8 +1,17 @@ +ISICNG (v0.0.2) 04/07/03, by Clément Lecigne (clem1@FreeBSD.org) + + o Some new feature added to icmpsicng.c + o new parameters related to packet size + -z minsize -Z maxsize -K multiple + o support of icmp option for neighbor discovery + related icmp message. + o bug fix around checksum calculation. + -ISICNG (v0.1) 06/07/03, by Clément Lecigne (clem1@FreeBSD.org) +ISICNG (v0.0.1) 03/07/03, by Clément Lecigne (clem1@FreeBSD.org) - - Port of all *sic.c to IPv6 - isicng.c supports IPv6 and extension headers fuzzing. - tcpsicng.c is used to exercise the `TCPv6 stack'. - udpsicng.c is used to exercise the `UDPv6 stack'. - icmpsicng.c is used to exercise the `ICMPv6 stack'. + o Port of all *sic.c to IPv6 + isicng.c supports IPv6 and extension headers fuzzing. + tcpsicng.c is used to exercise the `TCPv6 stack'. + udpsicng.c is used to exercise the `UDPv6 stack'. + icmpsicng.c is used to exercise the `ICMPv6 stack'. ==== //depot/projects/soc2006/clem1_ipv6vulns/fuzzers/isicng/icmpsicng.c#3 (text+ko) ==== @@ -26,12 +26,18 @@ main(int argc, char **argv) { int c; + u_int a; u_char *buf = NULL; u_short *payload = NULL; u_int payload_s = 0; struct libnet_icmpv6_hdr *icmp = NULL; + struct icmp_option_base_header { + u_int8_t type; + u_int8_t length; + } *icmp_opt; + /* libnet variables */ char errbuf[LIBNET_ERRBUF_SIZE]; libnet_t *l; @@ -41,8 +47,8 @@ struct libnet_ipv6_hdr *ip6; struct libnet_in6_addr ip_src, ip_dst; u_int32_t flow; - u_int8_t tc, hl, ver, *nx, eo; - + u_int8_t tc, hl = 0, ver, *nx, eo; + u_int32_t maxsize, minsize, multiple; struct libnet_ipv6_frag_hdr *ip6f = NULL; #ifdef LIBNET_BSDISH_OS @@ -74,13 +80,18 @@ float ND = 15; float RT = 15; float NI = 15; + float IcmpOpt = 0; + + maxsize = 1279; + minsize = 128; + multiple = 1; /* Not crypto strong randomness but we don't really care. And this * * gives us a way to determine the seed while the program is running * * if we need to repeat the results */ seed = getpid(); - while((c = getopt(argc, argv, "hd:i:s:r:m:k:D:S:p:V:F:I:T:R:E:U:M:O:N:W:vx:")) != EOF) + while((c = getopt(argc, argv, "hd:i:s:r:m:k:D:S:p:H:V:F:I:T:R:E:U:M:O:N:W:P:z:Z:K:vx:")) != EOF) { switch (c) { @@ -93,6 +104,9 @@ case 'R': Redir = atof(optarg); break; + case 'P': + IcmpOpt = atof(optarg); + break; case 'E': Echo = atof(optarg); break; @@ -111,10 +125,22 @@ case 'W': NI = atof(optarg); break; + case 'z': + minsize = atoi(optarg); + break; + case 'Z': + maxsize = atoi(optarg); + break; + case 'K': + multiple = atoi(optarg); + break; case 'h': usage(argv[0]); exit(0); break; + case 'H': + hl = atoi(optarg); + break; case 'd': dst_ok = 1; if (strncmp(optarg, "rand", sizeof("rand")) == 0) @@ -242,7 +268,7 @@ if (smac == NULL) memcpy(buf + 6, libnet_get_hwaddr(l), 6); else - memcpy(buf + 6, smac, 6); + memcpy(buf + 6, libnet_mac2eth(smac), 6); memcpy(buf + 12, "\x86\xdd", 2); eo = 0xe; #else /* !BSD */ @@ -266,7 +292,7 @@ BadIPVer /= 100; FragPct /= 100; ICMPCksm /= 100; - + IcmpOpt /= 100; TooBig /= 100; Redir = Redir / 100 + TooBig; Echo = Echo / 100 + Redir; @@ -287,7 +313,8 @@ off = eo; memset(buf + eo, 0x0, IP_MAXPACKET - eo); - hl = rand() & 0xff; + if (!hl) + hl = rand() & 0xff; flow = rand(); tc = rand() & 0xff; @@ -300,7 +327,9 @@ ver = rand() & 0xf; else ver = 6; - payload_s = rand() & 0x4ff; /* length of 1279 */ + do{ + payload_s = (rand() % maxsize) + minsize; /* length of 1279 */ + }while (payload_s % multiple); /* build ipv6 header */ ip6 = (struct libnet_ipv6_hdr *) (buf + off); @@ -328,6 +357,7 @@ ip6f->ip_frag = rand() & 0xffff; ip6f->ip_id = (rand() % 10) ? rand() : getpid(); off += 8; + payload_s -= 8; } icmp = (struct libnet_icmpv6_hdr *)(buf + off); @@ -339,6 +369,7 @@ icmp->icmp_code = (rand() % 2) ? 0 : rand() & 0xff; icmp->icmp_mtu = rand(); off += 8; + payload_s -= 8; } else if (what <= (RAND_MAX * Redir)) { @@ -354,6 +385,7 @@ } icmp->icmp_dst = randipv6(); off += 36; + payload_s -= 36; } else if (what <= (RAND_MAX * Echo)) @@ -362,6 +394,7 @@ icmp->icmp_code = (rand() % 2) ? 0 : rand() & 0xff; icmp->icmp_unused = rand(); /* seq + id */ off += 8; + payload_s -= 8; } else if (what <= (RAND_MAX * Unreach)) { @@ -369,6 +402,7 @@ icmp->icmp_code = (rand() % 2) ? rand() % 5 : rand() & 0xff; icmp->icmp_unused = (rand() % 2) ? 0 : rand(); off += 8; + payload_s -= 8; } else if (what <= (RAND_MAX * MLD)) { @@ -384,6 +418,7 @@ icmp->icmp_mcast2[c] = rand() & 0xff; } off += 24; + payload_s -= 24; } else if (what <= (RAND_MAX * ND)) { @@ -398,6 +433,7 @@ icmp->icmp_target2[c] = rand() & 0xff; } off += 24; + payload_s -= 24; } else if (what <= (RAND_MAX * RT)) { @@ -408,6 +444,7 @@ /* solicitation msg */ icmp->icmp_unused = (rand() % 2) ? rand() : 0; off += 8; + payload_s -= 8; } else { @@ -417,7 +454,8 @@ icmp->icmp_rlf = rand() & 0xffff; icmp->icmp_rct = rand(); icmp->icmp_rtt = rand(); - off += 14; + off += 16; + payload_s -= 16; } } else if (what <= (RAND_MAX * NI)) @@ -429,30 +467,44 @@ for (c = 0; c < 8; c++) icmp->icmp_nonce[c] = rand() & 0xff; off += 14; + payload_s -= 14; } else { icmp->icmp_type = rand() & 0xff; icmp->icmp_code = rand() & 0xff; off += 4; + payload_s -= 4; } - -#ifdef LIBNET_BSDISH_OS - if ((payload_s - off + 0xe + 40) > payload_s) - payload_s = 0; - else - payload_s -= (off - 0xe - 40); -#else /* !BSD */ - if ((payload_s - off) > payload_s) - payload_s = 0; - else - payload_s -= (off - 40); -#endif - - payload = (short int *)(buf + off); - for(cx = 0; cx <= (payload_s >> 1); cx+=1) - (u_short) payload[cx] = rand() & 0xffff; - + + if (rand() <= (RAND_MAX * IcmpOpt)) + { + while (payload_s >= 24) + { + icmp_opt = (struct icmp_option_base_header *)(buf + off); + icmp_opt->type = rand() % 5; + icmp_opt->length = (rand() % 2) + 1; + off += 2; + payload = (short int *)(buf + off); + for (a = 0; a < 6; a++) + payload[a] = rand() & 0xff; + if (icmp_opt->length > 1) + { + for (; (signed)a < 6 + ((icmp_opt->length - 1) * 8); a++) + payload[a] = rand() & 0xff; + } + off += ((8 * icmp_opt->length) - 2); + payload_s -= (8 * icmp_opt->length); + } + /* padding */ + payload = (short int *)(buf + off); + for (a = 0; a < payload_s; a++) + payload[a] = rand() & 0xff; + }else{ + payload = (short int *)(buf + off); + for(cx = 0; cx <= (payload_s >> 1); cx+=1) + (u_short) payload[cx] = rand() & 0xffff; + } if (rand() <= (RAND_MAX * ICMPCksm)) icmp->icmp_sum = rand() & 0xffff; @@ -494,7 +546,7 @@ - (tv.tv_usec - tv2.tv_usec) / 1000000.0; if ((datapushed / sec) >= max_pushed) usleep(10); /* 10 should give up our timeslice */ - usleep(500); + sleep(1); } @@ -514,17 +566,19 @@ void usage(u_char *name) { fprintf(stderr, - "usage: %s [-v] [-D] -s <sourceip> -d <destination ip>" + "usage: %s [-v] -s <sourceip> -d <destination ip>" #ifdef LIBNET_BSDISH_OS - "-i <iface> -D <destination mac>\n [-S <source mac>]" + " -i <iface> -D <destination mac>\n [-S <source mac>]" #else /* !BSD */ "[-i <iface>\n " #endif " [-r seed] [-m <max kB/s to generate>]\n" " [-p <pkts to generate>] [-k <skip packets>] [-x <send packet X times>]\n" + " [-z <minsize>] [-Z <maxsize>] [-K <size multiple>]\n" "\n" " Percentage Opts: [-F frags] [-V Bad IP Version]\n" - " [-I Bad checksum>]\n" + " [-H hop limit] [-I Bad checksum]\n" + " [-P IcmpOpt]\n" " [-T Toobig] [-R Redirect] [-E Echo]\n" " [-U Unreach] [-M MLD] [-O Router]\n" " [-N Neighbor] [-W node info]\n"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200607041927.k64JRxAX080495>